SB2013071101 - Gentoo update for HAProxy

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2013-1912)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Buffer overflow in HAProxy 1.4 through 1.4.22 and 1.5-dev through 1.5-dev17, when HTTP keep-alive is enabled, using HTTP keywords in TCP inspection rules, and running with rewrite rules that appends to requests, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted pipelined HTTP requests that prevent request realignment from occurring.

2) Input validation error (CVE-ID: CVE-2013-2175)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/
• https://security.gentoo.org/glsa/201307-01